Network Security Firewalls

RE: 1 VPN client only through PIX

Subject: RE: 1 VPN client only through PIX
Date: Wed, 22 Sep 2004 11:21:42 -0500
The 2004 ISA firewall would allow per user authentication on site to
site VPN tunnels so that each branch office user must authenticate
before being given access to a particular server and a particular
protocol on a server at the main office, or any of the branch offices,
if you choose to allow routes from one branch office to another.

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Shane Mahon [mailto:smahon@newsstand.com] 
Sent: Thursday, September 16, 2004 8:18 PM
To: 'Wozny, Scott (US - New York)'; Chris Tyler;
firewalls@securityfocus.com
Subject: RE: 1 VPN client only through PIX


PIX 506E supports 25 simultaneous site-to-site or remote access VPN peers. Setting up a site-to-site between the PIX and a 3000-series concentrator is fairly straightforward. That would be the easiest way to solve this problem, but it wouldn't provide for individual authentication of users like using the software option on each PC would.


-----Original Message-----
From: Wozny, Scott (US - New York) [mailto:swozny@deloitte.com] 
Sent: Thursday, September 16, 2004 9:42 AM
To: Chris Tyler; firewalls@securityfocus.com
Subject: RE: 1 VPN client only through PIX


You can set up the concentrator to terminate IPSec tunnels 
encapsulated in another PATable protocol but the key is to 
make sure the client station is originating tunnels in that 
protocol too.  If I were in your shoes the first thing I'd do 
is get a trace of the client attempting to make a connection 
to make sure it really was IPSec inside UDP it was using to 
make the requests.  

Alternatively, I'm not sure if the 506E is capable of it, but 
in a situation like this I'd be tempted to set up a site to 
site tunnel to avoid dealing with the headache of client 
software (unless you're in an insecure operating environment 
like wireless or shared infrastructure).

Good luck,

Scott

-----Original Message-----
From: Chris Tyler [mailto:chris.tyler@inatpower.com] 
Sent: Wednesday, September 15, 2004 9:33 AM
To: firewalls@securityfocus.com
Subject: 1 VPN client only through PIX


We have remote Cisco VPN clients 4.0.2, connecting through a PIX 506E which is doing PAT, attaching to a Cisco VPN concentrator. The first client can connect fine but no other users can then connect and no traffic is seen at the concentrator. I cannot access the remote PIX but from what I have seen if you disconnect the client and wait for the translate to clear another client can then connect. My assumption was/is that this is an IPSec and PAT problem on the PIX. I therefore enabled both IPsec over UDP and IPSec with NAT-T on the concentrator and had the relevant ports on the PIX opened up however this does not appear to have solved the problem.

Any ideas gratefully received.

Chris

Chris Tyler
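As an added illustration of Scott's "get a trace" advice and of the symptom Chris describes (this is not code from anyone in the thread), a small Python classifier over constructed packets: it tells IKE (UDP 500), NAT-T (IPsec inside UDP 4500) and raw ESP (IP protocol 50) apart, and flags a peer that receives raw ESP from more than one inside host, which a single PAT address cannot multiplex because ESP carries no ports for the translation table. All addresses and packets below are constructed samples.

```python
import struct
from collections import defaultdict

ESP, UDP, IKE_PORT, NAT_T_PORT = 50, 17, 500, 4500

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]

def classify(pkt):
    """Label a packet IKE, NAT-T (IPsec inside UDP 4500), raw ESP, or other."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == ESP:                      # IP protocol 50: no ports for PAT to rewrite
        return src, dst, "ESP"
    if proto == UDP and len(payload) >= 8:
        dport = struct.unpack("!HH", payload[:4])[1]
        return src, dst, {IKE_PORT: "IKE", NAT_T_PORT: "NAT-T"}.get(dport, "other")
    return src, dst, "other"

def pat_risk(packets):
    """Peers receiving raw ESP from more than one inside host (PAT can map only one)."""
    senders = defaultdict(set)
    for pkt in packets:
        src, dst, kind = classify(pkt)
        if kind == "ESP":
            senders[dst].add(src)
    return {peer: sorted(s) for peer, s in senders.items() if len(s) > 1}

def build(src, dst, proto, payload=b""):
    """Constructed minimal IPv4 packet (checksum left zero; fine for parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample: three inside clients, one concentrator (203.0.113.1).
# Hosts .5 and .6 send raw ESP; host .7 uses NAT-T, which PAT can multiplex.
SAMPLE = [
    build("10.0.0.5", "203.0.113.1", UDP, udp(500, IKE_PORT)),
    build("10.0.0.5", "203.0.113.1", ESP, b"\x00" * 8),
    build("10.0.0.6", "203.0.113.1", ESP, b"\x00" * 8),
    build("10.0.0.7", "203.0.113.1", UDP, udp(4500, NAT_T_PORT, b"\x00" * 4)),
]
```

Running `pat_risk(SAMPLE)` reports the concentrator with the two raw-ESP senders; a capture in which every client shows up as NAT-T instead would rule out the PAT explanation Chris suspects.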

